PROG1350 Software Engineering Fundamentals
Questions:
Your software firm has just acquired a new piece of security software and you have been placed in charge of evaluating it. This software, called Ultracrypt, is a command-line program that encrypts and decrypts files.
You have a copy of the source code and can either run the program from a C IDE of your choice (many IDEs have options to provide command-line options when you run a program in debug mode) or compile the code and run it from the command line.
The program has several command-line options, all of which are described by the help option, which is selected with -? (i.e. ultracrypt -?).
When run, a new file is created that contains the encrypted or decrypted version of the file being encrypted/decrypted. The program will work with no entered password once it is compiled but can be locked by a password (see the program help text for an example of how this is done).
Your job is to look for security problems with the software and write a report for your supervisor explaining any issues you find. These issues can range from problems with how passwords are handled to buffer over-reads and memory-addressing issues.
Your report should contain a description of the methodology used to find the flaws and their location in the code, an explanation of why each is a flaw and how it could be exploited, the tools used, and a recommendation of how to fix such vulnerabilities in the code.